.png){kind=logo}
Implement Initial Device Identities for CRA
In the context of the EU Cyber Resilience Act (CRA), ensuring device integrity from the earliest stage of operation is a critical cybersecurity objective. Annex I of the CRA outlines essential requirements that all products must meet regardless of classification. While detailed harmonized standards are still under development (expected by September 2026), manufacturers are already under pressure to align product designs with CRA expectations ahead of the regulation’s enforcement in December 2027.
Initial Device Certificates (IDevIDs), based on IEEE 802.1AR, offer a proven mechanism to establish strong, hardware-bound identity that supports secure boot, authenticated communication, and verifiable audit trails. This guide explores how IDevIDs can help meet CRA obligations while enabling scalable, automated provisioning and trust enforcement across the supply chain.
The guide is designed for embedded engineers, platform architects, and product security teams responsible for building connected products that must meet cybersecurity regulations like the CRA. It also serves compliance owners and technical decision-makers evaluating trust and identity mechanisms for secure manufacturing and provisioning processes.
Key Challenges in Meeting CRA Product Security Requirements
Translating CRA principles into engineering practice is not straightforward. Manufacturers must balance regulatory expectations with technical complexity, global supply chains, and long product lifecycles. The following challenges commonly arise when implementing secure identities and signing mechanisms under the CRA:
Navigating CRA compliance without finalized harmonized standards
Securing device identity from manufacturing through deployment
Preventing spoofing, impersonation, and unauthorized device access
Enabling secure, scalable onboarding across distributed environments
Managing trusted identities and certificates across global supply chains
Building audit-ready infrastructure for identity and signing operations
Disclaimer: This guide provides one possible interpretation of the Cyber Resilience Act (CRA) and outlines how enabling IDevIDs may contribute to compliance efforts.
Keyfactor anticipates that forthcoming harmonized standards will align with this interpretation; however, at the time of writing, Keyfactor does not have direct involvement or firsthand insight into the development of those standards.
Initial Device Certificates
An Initial Device Identifier is a unique, non-volatile certificate provisioned into a device at the time of manufacturing. One type of Initial Device Identifier, is known as an IDevID and is defined by IEEE 802.1AR. They are X.509 certificates tied to a device’s immutable identity and signed by a trusted manufacturer Certificate Authority (CA)/PKI.
These certificates are meant to live for the lifetime of the device and prove that the device was manufactured by the original manufacturer. By definition, these are issued with a lifetime of one second before the year 10,000. Importantly, they are created using secure processes and are resistant to tampering or duplication, enabling strong assurance that the device is what it claims to be.
Use of IDevIDs in the Supply Chain
IDevIDs allow downstream entities to:
Authenticate devices upon delivery or deployment.
Enforce access control before allowing device provisioning or software execution.
Enable audit trails linked to a specific physical device.
They also simplify remote attestation, secure onboarding, and zero-touch provisioning in distributed environments.
Alignment with CRA Annex I
The following table illustrates how IDevIDs map to CRA Essential Cybersecurity Requirements:
CRA Annex I Part I Clause | Verbatim Text | Initial Device Certificates |
|---|---|---|
(1) | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks. | ✅ IDevIDs provide a foundational identity anchor that enables risk-based trust decisions. |
(2)(a) | Be made available on the market without known exploitable vulnerabilities. | ✅ Prevents spoofing and impersonation by establishing an immutable trust. |
(2)(d) | Ensure protection from unauthorised access by appropriate control mechanisms... | ✅ Ensures only authorized devices access services via verified certificates. |
(2)(f) | Protect the integrity of stored, transmitted or otherwise processed data... | ✅ Enables encrypted channels bound to device identity, preserving integrity. |
(2)(j) | Be designed...to limit attack surfaces, including external interfaces. | ✅ Authenticated provisioning flows minimize interfaces exposed to untrusted actors. |
(2)(k) | Reduce the impact of an incident using appropriate exploitation mitigation mechanisms... | ✅ Disallows rogue or unauthorized devices from rejoining a network or obtaining firmware. |
(2)(l) | Provide security related information by recording and monitoring relevant internal activity... | ✅ Allows device-linked audit records, ensuring accountability. |
Risks without Initial Device Certificates
Without an IDevID or equivalent trust anchor:
Devices may impersonate others or join a network without verification.
Zero-trust non-touch onboarding becomes difficult.
Rogue devices may download authentic firmware and begin to attack the firmware.
Remediation workflows lose precision.
How Keyfactor Helps
EJBCA PKI provides the foundation for CRA-compliant product development by enabling manufacturers to issue and manage Initial Device Identities (IDevIDs) at scale. These device-bound credentials establish trust from the moment a product leaves the factory.
Key capabilities include:
Scalable Certificate Issuance – Manage IDevIDs across large or multiple device fleets.
Secure Manufacturing – Issue IDevIDs in factories or provisioning centers with keys generated and stored in HSMs.
Provisioning Integration – Automate certificate issuance and validation during device onboarding.
Trusted Firmware Distribution – Ensure signed firmware updates are delivered only to verified device identities.
Comprehensive Auditability – Log all identity and signing operations to support CRA conformity assessments.
EJBCA PKI setup for issuing and managing Initial Device Identities (IDevIDs)
Benefits:
Prevent spoofing, impersonation, and rogue devices.
Establish strong device-bound trust from day zero.
Simplify CRA compliance with verifiable cybersecurity artifacts.
Conclusion
Initial Device Certificates (IDevIDs) are a foundational tool for meeting the EU Cyber Resilience Act's cybersecurity requirements. By anchoring device identity to hardware and issuing immutable, verifiable certificates at manufacturing time, organizations can enforce trust across provisioning, communication, and software deployment. While final harmonized standards are still in development, IDevIDs already align with key Annex I requirements and enable strong security practices.
EJBCA PKI supports this approach by providing secure certificate issuance in manufacturing environments, integration with Hardware Security Modules (HSMs), and validation infrastructure to manage device identities throughout the product lifecycle. These capabilities help teams build reliable, scalable, and auditable systems that are positioned for CRA compliance and long-term supply chain security.
Related Content
Complementary Solution Areas and Guides
The EU CRA Requirements: Security and Compliance Across the Product Lifecycle - An engineering-focused summary of the CRA.
Implementing Secure Boot for CRA - Validate firmware signatures at startup to ensure device integrity from the moment it powers on.
Implementing Secure Firmware Updates for CRA - Sign firmware and software updates to guarantee authenticity and prevent tampering in the field.
Implementing Operational Certificates for CRA – Automate the lifecycle of operational certificates to enable secure communications, access control, and encrypted services.
Implementing SSH Certificates for CRA – Replace unmanaged SSH keys with certificate-based access, enforce security policies, and enable auditability.
Contact us
Request a live demo with one of our experts — whether you want to explore workflows hands-on or discuss your specific needs.